Configuring Windows Server 2008 as a Remote Access SSL VPN Server (Part 1)


If you would like to read the next part in this article series please go to Configuring Windows Server 2008 as a Remote Access SSL VPN Server (Part 2)

 

Remote Access is one of today’s “big things”. As an increasing number of people need access to information stored on work and home computers, the ability to access that information from anywhere is critical. Gone are the days when you could say “I’ll get that information to you when I get to my computer”. You need that information now if you want to be competitive in today’s business environment.

In the stone age of computing, the way to remotely access information on your computer was to use a dial-up connection. RAS dial-up connections worked over regular POTS (Plain Old Telephone Service) lines and had speeds that ranged up to around 56kbps. Speed was a major problem with dial-up RAS connections, but an even bigger problem was the cost of the connections when a long distance number was required for access.

With the introduction and growth of the Internet, dial-up RAS connections became less relevant. The reason for this was the introduction of virtual private network (VPN) connections. VPN connections provided the same point to point connectivity that the dial-up RAS connections provided, but did so faster and cheaper, as the speed of the VPN connection could be as fast as the Internet link and the cost of the connection is independent of the destination. The only cost is that of the Internet link.

Virtual Private Networking

A VPN connection allows a computer to establish a virtual and private connection to a network over the Internet. The connection is virtual because when the computer establishes a VPN connection over the Internet, the computer making the VPN connection acts like a node that’s directly connected to the network, as if it had an Ethernet cable connected to that network. The user can access all the same resources he could connect to as if he were directly connected to the network. However, in the case of the VPN client connection to a VPN server, the connection is a virtual one because there is no actual Ethernet connection to the destination network. The connection is private because the contents of the datastream moving inside the VPN connection are encrypted so that no one over the Internet is able to intercept and read the contents of the communications moving over the VPN link.

Windows Servers and clients have supported VPN connections since the days of Windows NT and Windows 95. While Windows clients and servers have supported VPN connections for over a decade, the type of VPN support has evolved over time. Windows Vista Service Pack 1 and Windows Server 2008 now support three types of VPN connections. These are:

  • PPTP
  • L2TP/IPSec
  • SSTP

PPTP is the Point to Point tunneling protocol. PPTP is the simplest method you can use to establish a VPN connection, but unfortunately it is also the least secure. The reason why PPTP is the least secure option is that user credentials are not exchanged over a secure link. That is to say, encryption of the VPN connection takes place after credentials are exchanged. Even though actual credential information is not transmitted between VPN client and server, the hash values exchanged can be leveraged by sophisticated hackers to gain access to VPN servers and connect to corporate networks.

A more secure VPN protocol is L2TP/IPSec. L2TP/IPSec was a joint development between Microsoft and Cisco. L2TP/IPSec is more secure than PPTP because a secure IPSec session is established before credentials are sent over the wire. Hackers are not able to access the user credentials and thus cannot steal them to use them later. More importantly, IPSec provides for mutual machine authentication, so that untrusted machines are not able to connect to the L2TP/IPSec VPN gateway. IPSec provides for mutual machine authentication, data integrity, confidentiality, and non-repudiation. L2TP supports PPP and EAP user authentication mechanisms, which allows for a high level of log on security because both user and machine authentication is required.

Windows Vista SP1 and Windows Server 2008 now support a new VPN protocol – Secure Socket Tunneling Protocol or SSTP. SSTP uses SSL encrypted HTTP connections to establish a VPN connection to the VPN gateway. SSTP is secure because user credentials are not sent until after a secure SSL tunnel is established with the VPN gateway. SSTP is also known as PPP over SSL, so this means that you can use PPP and EAP authentication mechanisms to make your SSTP connection more secure.

Privacy is Not Security

I should note here that VPN connections are more about privacy than security. While I do recognize that privacy is a major component of secure communications, privacy in and of itself does not provide security. VPN technologies provide for privacy of communications over the Internet, which prevents intruders from reading the contents of your communications. VPN technologies also allow you to make sure that only authorized users can connect to the network through the VPN gateway. However, privacy, authentication and authorization do not provide a comprehensive security solution.

For example, suppose you have an employee who you have granted VPN access. Since your Windows Server 2008 VPN protocols support EAP user authentication, you decided to deploy smart cards for your users and use the L2TP/IPSec VPN protocol. The combination of smart cards and L2TP/IPSec help insure that strong machine and user authentication is required. Your smart card and L2TP/IPSec solution works well and everyone is happy.

Everyone is happy until one day one of your users connects to your SQL server to access payroll information and starts to share that information with other employees. What happened? Wasn’t the VPN connection secure? Yes, the VPN connection was secure to the extent that it provided privacy, authentication and authorization – but one thing it did not provide was access control, and access control is the most pivotal aspects of computer security. In fact, it can be argued that without access control, all other security measure are of relatively little value.

For a VPN solution to be truly secure, you need to make sure your VPN gateway is able to perform user/group based access controls so that you can implement least privilege access to VPN users. Advanced VPN gateways and firewalls like the ISA Firewall can perform this type of strong user/group based access control on VPN connections. In addition, advanced firewalls like the ISA Firewall can perform stateful packet and application layer inspection on VPN client connections.

Even though the Windows Server 2008 VPN server does not provide for user/group access controls, there are other ways you can implement strong access controls on the data servers themselves if you do not want to pay for an advanced firewall and VPN gateway. In this article we are focusing only the VPN server component. If you would like to learn more about the ISA firewall and its advanced VPN server capabilities, check out www.isaserver.org

Why Introduce a New VPN Protocol?

Microsoft already had two viable VPN protocols that allowed users to connect to the corporate network, so why introduce a third one? SSTP is a great advance for Windows VPN users because SSTP does not have the problems with firewalls and NAT devices that PPTP and L2TP/IPSec have. In order for PPTP to work through a NAT device, the NAT device needs to support PPTP through a PPTP “NAT editor”. If there is no NAT editor for PPTP on the NAT device, the PPTP connections will fail.

L2TP/IPSec has problems with NAT devices and firewalls because the firewall needs to have the L2TP port UDP 1701 open outbound, the IPSec IKE port, UDP 500 open outbound, and the IPSec NAT traversal port, UDP 4500 open outbound (the L2TP port is not required when using NAT-T). Most firewalls in public places, such as hotels, conference centers, restaurants, and other locations only allow a small number of ports open outbound, such as HTTP, TCP port 80 and HTTPS (SSL), TCP port 443. If you need support for protocols other than HTTP and SSL when you leave the office, you are playing a game of dice. You may or may not get the required ports needed for PPTP or L2TP/IPSec.

In contrast, SSTP VPN connections are tunneled over SSL using TCP port 443. Since all firewalls and NAT devices have TCP port 443 open, you will be able to use SSTP from anywhere. This greatly simplifies the life of the road warrior who needs to use VPN connections to connect to the office, and also makes life a lot easier on the lives of the corporate admin who needs to support the road warrior, as well as the help desk people at the service providers who provide Internet access for hotels, conference centers, and other public locations.

The SSTP Connection Process

The following shows how the SSTP connection process works:

  1. The SSTP VPN client establishes a TCP connection with the SSTP VPN gateway between a random TCP source port on the SSTP VPN client and TCP port 443 on the SSTP VPN gateway.
  2. The SSTP VPN client sends an SSL Client-Hello message, indicating that the SSTP VPN client wants to establish an SSL session with the SSTP VPN gateway.
  3. The SSTP VPN gateway sends its computer certificate to the SSTP VPN client.
  4. The SSTP VPN client validates the computer certificate by checking its Trusted Root Certification Authorities certificates store to see if the CA certificate that signed the server certificate is located in that store. The SSTP VPN client then determines the encryption method for the SSL session, generates an SSL session key and encrypts it with the SSTP VPN gateway’s public key, and then sends the encrypted form of the SSL session key to the SSTP VPN gateway.
  5. The SSTP VPN gateway decrypts the encrypted SSL session key with the private key of its computer certificate’s private key. All future communication between the SSTP VPN client and the SSTP VPN gateway is encrypted with the negotiated encryption method and SSL session key.
  6. The SSTP VPN client sends an HTTP over SSL (HTTPS) request message to the SSTP VPN gateway.
  7. The SSTP VPN client negotiates an SSTP tunnel with the SSTP VPN gateway.
  8. The SSTP VPN client negotiates a PPP connection with the SSTP server. This negotiation includes authenticating the user’s credentials using standard PPP authentication methods (or even EAP authentication) and configuring settings for Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) traffic.
  9. The SSTP client begins sending IPv4 or IPv6 traffic over the PPP link.

For those of you who are interested in the characteristics of the VPN protocol architecture, you can see that in the figure below. Notice that SSTP has an additional header compared to the other two VPN protocols. That because there is HTTPS encapsulation in addition to the SSTP header. L2TP and PPTP don’t have application layer headers encapsulating the communication.


Figure 1

We will use a simple three machine example network to show how SSTP works. The names and characteristics of the three machines are:

Vista:
Vista Business Edition
Vista Service Pack 1
Non-domain member

W2008RC0-VPNGW:
Windows Server 2008 Enterprise Edition
Two NICs – Internal and External
Domain member

WIN2008RC-DC:
Windows Server 2008 Enterprise Edition
Domain Controller of MSFIREWALL.ORG domain
DHCP Server
DNS Server
Certificate Server (Enterprise CA)

Notice that you must use Vista Service Pack 1 as the VPN client. While there have been discussions in the past about Windows XP Service Pack 3 supporting SSTP, this may not end up being the case. I recently installed the release candidate for Windows XP Service Pack 3 on a test machine and found no evidence of SSTP support. This is a real shame, as there is a large installed based of Windows XP on laptop computers, and the common consensus at this time is that Vista is too slow for laptop use at this time. Perhaps the Vista performance problems will be rectified with Vista Service Pack 1.

The high level configuration of the example network is seen in the figure below.


Figure 2

Summary

In this article we went over a short history of remote access communications to computer networks. We then discussed the major VPN protocols supported by Windows servers and clients, and then went over some of the security issues with the traditional Windows VPN protocols. We then looked at how SSTP solves the security and accessibility issues presented with PPTP and L2TP/IPSec. Finally, we took a short look at the lab network we will be using in the next article, which will be all about putting together a simple SSTP VPN client and server solution using Windows Server 2008 and Windows Vista Service Pack 1. See you then! -Tom.

If you would like to read the next part in this article series please go to Configuring Windows Server 2008 as a Remote Access SSL VPN Server (Part 2)

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top